CLAIMS

What is claimed is:

1. A system for generating, installing to a plurality of linked remote computers, and
monitoring a secure network of nodes, said system comprising:

A. at least one software application;

B. an installation server, configured to facilitate installation of said at least one
software application;

C. a generator, configured to generate a plurality of software components from a
network definition, including a plurality of agent modules, wherein each agent
module is executable on a corresponding remote computer to initiate
communication with said installation server and subsequent installation of a
corresponding software application on said remote computer to form a node,
wherein each of said nodes is capable of automatically establishing
communication with others of said nodes according to said network definition;
and

D. a monitor node configured to monitor security of said network.

2. A system according to claim 1, wherein the remote computers are linked substantially by
the Internet.

3. A system according to claim 1, wherein the remote computers are linked substantially by
an intranet.

4. A system according to claim 1, wherein said network definition includes a plurality of
node definitions, each node definition including:

(i) an identification of one of said plurality of remote computers;

(ii) an identification of at least one software application to be installed on said
remote computer to form a node; and

(iii) an identification of each other node to which said node is to be linked.

5. A system according to claim 4, wherein said identification of each of said plurality
remote computers includes:

C. (i) (a) IP address; and

(b) a node name.

6. A system according to claim 1, wherein said plurality of software components further
includes:

C. (i) a plurality of node configuration files, wherein a different one of said node
configuration files corresponds to a different node and includes
information for facilitating selective communication with others of said
nodes according to said network definition; and

(ii) at least one network information file, having information corresponding to
substantially all links between nodes and accessible by said monitor node
to facilitate the selective linking of said nodes.

7. A system according to claim 1, wherein said installation server is configured to facilitate
said installation of said corresponding software application as a function of a verification
that said agent module is executing on said corresponding remote computer, according to
said network definition.

8. A system according to claim 1, wherein said installation server is configured to facilitate
said installation of said corresponding software application as a function of a verification
that said agent module has not been previously installed.

9. A system according to claim 1, further including a second monitor node configured to
determine the presence of an interposed, unintended node.

10. A system according to claim 1, wherein said monitor node is further configured to
selectively terminate operation and connection of one or more tainted nodes in response
to a detected security violation.

11. A system according to claim 10, wherein said installation server is further configured to
initiate a regeneration of a set of said software components, reinstallation of said at least
one software application, and selective relinking to other nodes for each of said
selectively terminated one or more tainted nodes and according to said network
definition.
12. A system according to claim 1, wherein said monitor node and each of said nodes
communicate using secure data transfer.

13. A system according to claim 12, wherein said secure data transfer is accomplished using
data encryption, and wherein data transferred in each direction between two linked nodes
is encrypted differently.

14. A system according to claim 13, wherein each of two linked nodes uses a unique pair of
encryption keys to accomplish said data encryption, and each pair of encryption keys
includes a substantially hidden private key and a public key.

15. A system according to claim 1[illegible] wherein said monitor node is further configured to
selectively initiate a coordinated strobing of each pair encryption keys between two linked
nodes.

16. A system according to claim 1, further including:

E. an account server, configured to generate billing information as a function of the
selective linking of said node to said other nodes.

17. A system according to claim 1, wherein said installation server is configured to
communicate with each of said plurality of remote computers using data encryption.

G:\BSIL\110cp\Applncp2.wpd 11/16/99

18. A system according to claim 17, wherein said installation uses a randomly generated
private key and public key pair for data encryption, wherein data to be transferred to said
installation server is encrypted using said public key and is decrypted by said installation
server using said private key.

19. A system according to claim 18, further including:

E. a second monitor node, configured to compare the installation server public key
with the encryption key used by one of said plurality of remote computers to
encrypt data sent to said installation server, a negative comparison being
indicative of a security violation.

20. A system for generating, installing to a plurality of linked remote computers, and
monitoring a secure network of nodes, said system comprising:

A. at least one software application;

B. an installation server, configured to facilitate installation of said at least one
software application;

C. a generator, configured to generate a plurality of software components from a
network definition, including a plurality of agent modules, wherein each agent
module is executable on a corresponding remote computer to initiate
communication with said installation server and subsequent installation of a
corresponding software application on said remote computer to form a node,
wherein each of said nodes is capable of automatically establishing
communications with others of said nodes according to said network definition;
and

D. a monitor node configured to monitor security of said network, wherein said
monitor node and each of said nodes communicate using secure data transfer.



21. A system according to claim 20, wherein said secure data transfer is data encryption and
each of two linked nodes uses a unique set of encryption keys to accomplish said data
encryption.

22. A system according to claim 21, wherein said encryption keys are substantially randomly
generated.

23. A system according to claim 21, wherein each set of said encryption keys includes a
hidden private key and a public key, and said public key is used by a first node in a link to
encrypt data transmitted to a second node in the link, and said private key is used to
decrypt said data by said second node.

24. A system according to claim 21 wherein said monitor node is further configured to
selectively initiate a coordinated strobing of each set of encryption keys between two
linked nodes.

25. A system according to claim 21, wherein said monitor node is further configured to
effectuate persistence of said encryption keys, and wherein when a first set of encryption
keys used by two linked nodes is strobed, a second set of encryption keys is randomly
generated, and said first and said second sets are stored in a memory, such that when one
or both of said two linked nodes loses its connection with the other of said two linked
nodes, said two linked nodes attempt to reestablish said connection alternatively using
said first and said second set of encryption keys.

26. A system according to claim 21, wherein said installation server is configured to
communicate with each of said plurality of remote computers using data encryption.

27. A system according to claim 26, wherein said installation uses a randomly generated
private key and public key pair for data encryption, wherein data to be transferred to said
installation server is encrypted using said public key and is decrypted by said installation
server using said private key.

28. A system according to claim 27, further including:

E. a second monitor node, configured to compare the installation server public key
with the encryption key used by one of said plurality of remote computers to
encrypt data sent to said installation server, a negative comparison being
indicative of a security violation.

29. A system for generating, installing to a plurality of linked remote computers, and
monitoring an auditable secure network of nodes, said system comprising a secure
network:

A. at least one software application;

B. an installation server, configured to facilitate installation of said at least one
software application;

C. a generator, configured to generate a plurality of software components from a
network definition, including a plurality of agent modules, wherein each agent
module is executable on a predetermined corresponding remote computer to
initiate communication with said installation server and subsequent installation of
a predetermined corresponding software application on said remote computer to
form a node, wherein each of said nodes is capable of automatically establishing
communication with others of said nodes according to said network definition,
and wherein said subsequent installation is contingent upon a first verification that
said agent module is installed on its corresponding remote computer and wherein
said installation is further contingent upon a second verification that said software
application is installed on its predetermined corresponding remote computer; and

D. a monitor node configured to monitor security of said network.

30. A system according to claim 29, wherein said installation server is configured to
terminate said installation of said at least one software application on said corresponding
remote computer if said agent module has been previously installed.

31. A system according to claim 29, wherein said installation server is configured to
terminate said installation of said at least one software application on said corresponding
remote computer if said agent module is not installed on said corresponding computer.

32. A system according to claim 29 wherein said installation server is configured to perform
said subsequent installation in response to receipt of a password entered at said remote
computer, as said first verification.

33. A system according to claim 29, wherein said installation server is configured to
complete said installation in response to receipt of a password entered at said remote
computer, as said second verification.

34. A system according to claim 2[illegible] further including:

E. a software component analyzer, configured to analyze said software components
and determine the presence of trap doors.

35. A system according to claim 29, wherein said installation server is configured to
communicate with each of said plurality of remote computers using data encryption.

36. A system according to claim 35, wherein said installation uses a randomly generated
private key and public key pair for data encryption, wherein data to be transferred to said
installation server is encrypted using said public key and is decrypted by said installation
server using said private key.

37. A system according to claim 36, further including:

E. a second monitor node, configured to compare the installation server public key
with the encryption key used by one of said plurality of remote computers to
encrypt data sent to said installation server, a negative comparison being
indicative of a security violation.

38. A method for generating, installing to a plurality of remote computers, and monitoring a
secure network having a plurality of nodes, a generator, an installation server, and a
monitor node, the method comprising the steps:

A. creating a network definition, including information that describes each remote
computer, at least one software application to be installed on each remote
computer, and each link between nodes;

B. generating with said generator a plurality of software components, as a function of
said network definition, including a plurality of agent modules, wherein each
agent module is executable on a preselected one of said remote computers and
includes functionality to communicate with said installation server;

C. executing an agent module on its corresponding remote computer, wherein said
agent module automatically establishes communication with said installation
server;

D. downloading, using said installation server, to said remote computer a
corresponding at least one software application;

E. executing said at least one software application on said remote computer to form a
node and automatically establishing a connection with said monitor node;

F. selectively linking said node to others of said plurality of nodes according to said
network definition; and

G. repeating steps C through F for each agent module and corresponding remote
computer.

39. The method of claim 38 wherein step A includes identifying each remote computer by an
IP address and a node name.

40. The method of claim 38 wherein step B further includes generating:

(i) a plurality of node configuration files, wherein each node configuration
file corresponds to one of said nodes; and

(ii) a set of network information files, including information corresponding to
a plurality of links required to form said network.

41. The method of claim 38 wherein step D further includes verifying that said agent module
is executing on a corresponding remote computer, according to said network definition,
as a prerequisite to downloading said at least one software application.

42. The method of claim 41 wherein step B includes generating a unique local password for
each node and said verifying in step D includes:

(i) entering said local password at said remote computer; and

(ii) verifying said local password at said installation server.

43. The method of claim 38 wherein step D further includes verifying that said agent module
has not been previously installed, as a prerequisite to downloading said at least one
software application.

44. The method of claim 38 wherein step F further includes verifying that said software
application is executing on its corresponding remote computer according to said network
definition, as a prerequisite of selectively linking said node to others of said plurality of
nodes.

45. The method of claim 44 wherein step B includes generating a unique audit password for
each node and said verification in step F includes:

(i) entering said audit password at said remote computer; and

(ii) verifying said audit password.

46. The method of claim 38, further including a step:

H. terminating operation and connection of one or more tainted nodes, under control
of said monitor node, in response to detection of a security violation related to
said tainted node.

47. The method of claim 46, further including a step:

I. repeating steps B-G for each of said one or more tainted nodes.

48. The method of claim 38, wherein step B further includes generating for each node in a
pair of linked nodes, a set of encryption keys, including a private key and a public key, to
facilitate secure communication between said linked nodes.

49. The method of claim 48, further including step:

H. (i) selecting said pair of linked nodes; and

(ii) strobing each set of encryption keys for said linked nodes.

50. The method of claim 49, wherein said two linked nodes are a first node and a second
node and said strobing includes the steps:

(a) ceasing data transfer between said first and second nodes;

(b) randomly generating a new first private key for said first node;

(c) deriving a new first public key from said new first private key and
storing said new first private and public keys;

(d) encrypting said new first public key with a current second public
key of said second node and transmitting said new first public key
to said second node;

(e) decrypting with a current second private key said new first public
key and storing said new first public key at said second node and
randomly generating a new second private key;

(f) deriving a new second public key from said new second private
key and storing said new second private and public keys;

(h) encrypting said new second public key with a current first public
key of said first node and transmitting said new second public key
to said first node;

(i) decrypting with a current first private key said new second public
key and storing said new second public key at said first node;

(j) exchanging confirmations between said first and second nodes to
use said new first and second private and public keys; and

(k) resuming data transfer between said two linked nodes.

51. The method of claim 50, wherein each pair of linked nodes also uses at least one session
key to encrypt data transferred between said linked nodes and said strobing further
includes:

randomly generating, exchanging and storing at least one new session key for said
linked nodes, between steps H(ii)(a) and H(ii)(k).

52. The method of claim 50 wherein said strobing is strobing with persistence and said step
H(ii) further includes saving said current first and second public and private keys.
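
The strobing sequence of claims 50 and 52, sketched as an added example that is not part of the patent text or of any implementation by the applicant: two in-process nodes rotate their key pairs following steps (a) through (k). The per-byte textbook RSA, the `Node` class, the `link` helper and the equality check standing in for the confirmation of step (j) are assumptions made for illustration, and the toy cipher is not secure.

```python
import secrets

E = 65537  # public exponent of the toy RSA (assumption; the claims name no algorithm)

def _is_prime(n, rounds=16):
    """Miller-Rabin probable-prime test."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _prime(bits):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if p % E != 1 and _is_prime(p):   # keeps E invertible modulo p - 1
            return p

def generate_keypair(bits=64):
    """Random private key with the public key derived from it: (b)-(c), (e)-(f)."""
    p = q = _prime(bits // 2)
    while q == p:
        q = _prime(bits // 2)
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))   # (public, private)

def encrypt(pub, data):
    return [pow(byte, pub[1], pub[0]) for byte in data]  # toy: one block per byte

def decrypt(priv, blocks):
    return bytes(pow(c, priv[1], priv[0]) for c in blocks)

def pack(pub):
    return f"{pub[0]}:{pub[1]}".encode()

def unpack(raw):
    n, e = raw.decode().split(":")
    return int(n), int(e)

class Node:
    def __init__(self, name):
        self.name = name
        self.pub, self.priv = generate_keypair()
        self.peer_pub = None      # public key currently held for the linked node
        self.saved = []           # earlier key sets kept for persistence (claim 52)
        self.transferring = True

def link(first, second):
    first.peer_pub, second.peer_pub = second.pub, first.pub

def strobe(first, second):
    """Steps (a)-(k) of claim 50, saving the current keys first as in claim 52."""
    first.transferring = second.transferring = False           # (a)
    for node in (first, second):                               # claim 52
        node.saved.append((node.pub, node.priv, node.peer_pub))
    new_first_pub, new_first_priv = generate_keypair()         # (b), (c)
    wire = encrypt(first.peer_pub, pack(new_first_pub))        # (d)
    got_first_pub = unpack(decrypt(second.priv, wire))         # (e)
    new_second_pub, new_second_priv = generate_keypair()       # (e), (f)
    wire = encrypt(second.peer_pub, pack(new_second_pub))      # (h)
    got_second_pub = unpack(decrypt(first.priv, wire))         # (i)
    # (j) confirmation, modelled here as both sides holding matching keys
    if got_first_pub != new_first_pub or got_second_pub != new_second_pub:
        raise RuntimeError("strobe not confirmed; link stays paused on current keys")
    first.pub, first.priv, first.peer_pub = new_first_pub, new_first_priv, got_second_pub
    second.pub, second.priv, second.peer_pub = new_second_pub, new_second_priv, got_first_pub
    first.transferring = second.transferring = True            # (k)
```

The new public keys travel only under the keys being retired, so the saved set is what lets a node that missed the confirmation still be reached.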
53. The method of claim 38, wherein said network further includes an account server, said
method further comprising the step of:

H. (i) communicating to said account server said linking of said node, in step F; and
(ii) generating billing information related to said linking of said node.

54. The method of claim 38, wherein step B includes generating a unique set of encryption
keys for each node and said monitor node.

55. The method of claim 54, wherein step E includes the steps of:

(i) logging into said monitor node by said node using a unique encryption key from a
corresponding set of node encryption keys generated by said generator; and

(ii) logging into said node using a unique monitor node encryption key from a
corresponding set of monitor node encryption keys generated by said generator.

56. The method of claim 38, wherein said secure network further includes a second monitor
node and said installation server communicates with each of said plurality of remote
computers using a private and public encryption key pair, the method further including
the step of:

H. (i) comparing the public key of said installation server with a key used by one
of said plurality of remote computers to encrypt data sent to said
installation server; and

(ii) issuing a security violation message, in the event of a negative
comparison.



57. A method for generating, installing to a plurality of remote computers, and monitoring a
secure network having a plurality of nodes, a generator, an installation server, and a
monitor node, said network used for conducting financially related transactions between a
custody system of a bank and a trading system of a financial client, the method
comprising the steps of:

A. creating, by a bank sales department, a network definition embodying the network
required by the financial client and to be generated, installed and monitored by the
bank;

B. modeling and testing said network definition, by a bank development group;

C. obtaining authorization from a bank network administration group and installing
said network definition on said generator, by said bank development group;

D. obtaining by said bank sales group a sales password and authorization to install
network from said network administration group;

E. auditing on said generator a generated network definition by comparing said
generated network definition to said network definition and inputting said sales
password as an indication of a favorable comparison, by said bank sales group;

F. obtaining by a bank audit group, an audit password and authorization to install
network from said network administration group;

G. auditing on said generator a generated network definition by comparing said
generated network definition to said network definition and inputting said audit
password as an indication of a favorable comparison, by said bank audit group;

H. generating with said generator a plurality of software components to be installed
on said plurality of remote computers to form said plurality of nodes of said
network, said components including:

(i) a plurality of agent modules, each agent module having the capability to
establish communications with said installation server;

(ii) a local sales password, for each agent module;

(iii) a local audit password for each agent module;

I. registering said agent modules with said installation server, wherein said
installation server has access to at least one or more bank custody software
applications to be stored on each of said plurality of remote computers to form
said nodes, according to said network definition;

J. communicating to each remote computer a corresponding one of said local sales
passwords to a sales department representative;

K. communicating to each remote computer a corresponding one of said local audit
passwords to an audit department representative;

L. executing each agent module on its corresponding remote computer, entering said
local sales password to verify that said agent module is installed on its
corresponding remote computer according to said network definition, and
downloading said corresponding at least one bank custody software application;

M. executing each of said at least one software applications on its corresponding
remote computer, establishing communication with said monitor node, entering
said local audit password to verify that said at least one software application is
installed on its corresponding remote computer according to said network
definition; and

N. selectively linking said nodes into said network.



58. A method for generating, installing to a plurality of remote computers, and monitoring a
secure network having a plurality of nodes, a generator, an installation server, and a
monitor node, wherein the secure network is used for the exchange of confidential data
between a first system of a first group and a second system of a second group, the method
comprising the steps:

A. creating a network definition, including information that describes each remote
computer, at least one first group software application to be installed on each
remote computer, and each link between nodes;

B. generating with said generator a plurality of software components, as a function of
said network definition, including a plurality of agent modules, wherein each
agent module is executable on a preselected one of said remote computers and
includes functionality to communicate with said installation server;

C. executing an agent module on its corresponding remote computer, wherein said
agent module automatically establishes communication with said installation
server;

D. (i) human auditing and verifying that said agent module is installed on its
corresponding remote computer according to said network definition by a
third group; and

(ii) downloading, using said installation server, to said remote computer a
corresponding at least one first group software application;

E. (i) executing said at least one first group software application on said remote
computer to form a node and automatically establishing a connection with
said monitor node; and

(ii) human auditing and verifying that said at least one first group software
application is installed on its corresponding remote computer according to
said network definition by a fourth group, independent from said third
group;

F. communicating with others of said plurality of nodes according to said network
definition; and

G. repeating steps C through F for each agent module and corresponding remote
computer.

59. The method of claim 58 wherein said confidential data is financial data and said first
system of said first group is a custody system of a bank and said second system of said
second group is a trading system of a financial services group.